COMMAND

    hotmail

SYSTEMS AFFECTED

    Hotmail

PROBLEM

    Georgi Guninski found  yet another major  Hotmail security hole  -
    injecting  JavaScript  using  "javasCript.   There  is  a major
    security  flaw  in  Hotmail  which  allows injecting and executing
    JavaScript code in an email message using the javascript protocol.
    This exploit works  both on Internet  Explorer 5.0 (guess  IE 4.x)
    and Netscape Communicator 4.x.  Hotmail filters the  "javascript:"
    protocol for security  reasons.  But  it does not  filter properly
    the following  case: "javasCript:"  where "C"  is the  ASCII
    code of "C".  So the following HTML is executed

        <IMG SRC="javasCript:alert('JavaScript is executed');">

    if  the  user  has  enabled  automatically loading of images (most
    users  have).   Probably  this  may  be  used  in other HTML tags.
    Executing JavaScript  when the  user opens  Hotmail email  message
    allows for example displaying a  fake login screen where the  user
    enters his password which is then stolen.  No scary demonstration,
    but guess is that it is also possible to read user's messages,  to
    send messages from user's name and doing other mischief.   Hotmail
    deliberately escapes  all JavaScript  (it can  escape) to  prevent
    such attacks, but obviously there are holes.  It is much easier to
    exploit this vulnerability if the user uses Internet Explorer 5.0.
    This is not a browser problem, it is Hotmail's problem.  The  code
    is:

        <IMG SRC="javasCript:alert('JavaScript is
        executed');a=window.open(document.links[2]);setTimeout('alert(\'The
        first message in your Inbox is from :
        \'+a.document.links[26].text)',20000)">

SOLUTION

    Workaround: Disable JavaScript